Bug#514807: Regression in libgnutls security update

Simon Josefsson simon at josefsson.org
Tue Feb 24 21:11:22 UTC 2009


Florian Weimer <fw at deneb.enyo.de> writes:

> * Simon Josefsson:
>
>> Florian Weimer <fw at deneb.enyo.de> writes:
>>
>>> Simon, could we make the harmless variant (X.509v1 certificate set as
>>> trusted is accepted as a root CA, but intermediate X.509v1
>>> certificates aren't accepted) the default in etch?
>
>> It may be that the practical problems are more important than the
>> potential security problem here, which would argue for using the patch.
>
> This seems to be the case.
>
> I would like to apply the following patch to etch and lenny.  Any
> objections?

No, but please try to make sure documentation is clear about what this
modification means for users and developers, since you are deviating
from upstream code.  The GnuTLS manual will not be consistent with the
behaviour people will see with GnuTLS on Debian.  Maybe README.Debian or
similar is a good place to put this information in?  NEWS.Debian?
changelog.Debian?  Or all of them.  Maybe point to a wiki page, that
will allow us to provide more information to users in the future.

/Simon

>> diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
>> index 7872f20..fe7ad22 100644
>> --- a/lib/gnutls_cert.c
>> +++ b/lib/gnutls_cert.c
>> @@ -280,6 +280,7 @@ gnutls_certificate_allocate_credentials (gnutls_certificate_credentials_t *
>>  
>>    (*res)->verify_bits = DEFAULT_VERIFY_BITS;
>>    (*res)->verify_depth = DEFAULT_VERIFY_DEPTH;
>> +  (*res)->verify_flags = GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
>>  
>>    return 0;
>>  }
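
Review bot: The added assignment `(*res)->verify_flags = GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;` in gnutls_certificate_allocate_credentials has no comment marking it as a Debian-specific default that deviates from upstream, so a later reader of lib/gnutls_cert.c cannot tell why it is there. Add a short comment above the line stating that the flag is set by default in the Debian package and referencing Bug#514807. Ship the same explanation in README.Debian or NEWS.Debian, as requested in the reply above. Because the default is set at allocation, it applies to every credentials structure an application creates without touching verify_flags itself. The documentation should say so and explain how a developer restores the upstream behaviour.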




